| From 286930797d74b2c9a5beae84836044f6a836235f Mon Sep 17 00:00:00 2001 |
| From: David S. Miller <davem@sunset.davemloft.net> |
| Date: Wed, 7 Mar 2007 12:50:46 -0800 |
| Subject: IPV6: Handle np->opt being NULL in ipv6_getsockopt_sticky() [CVE-2007-1000] |
| |
| This fixes http://bugzilla.kernel.org/show_bug.cgi?id=8134 |
| |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Chris Wright <chrisw@sous-sol.org> |
| --- |
| net/ipv6/ipv6_sockglue.c | 10 +++++++--- |
| 1 file changed, 7 insertions(+), 3 deletions(-) |
| |
| --- linux-2.6.20.1.orig/net/ipv6/ipv6_sockglue.c |
| +++ linux-2.6.20.1/net/ipv6/ipv6_sockglue.c |
| @@ -796,11 +796,15 @@ int compat_ipv6_setsockopt(struct sock * |
| EXPORT_SYMBOL(compat_ipv6_setsockopt); |
| #endif |
| |
| -static int ipv6_getsockopt_sticky(struct sock *sk, struct ipv6_opt_hdr *hdr, |
| +static int ipv6_getsockopt_sticky(struct sock *sk, struct ipv6_txoptions *opt, |
| char __user *optval, int len) |
| { |
| - if (!hdr) |
| + struct ipv6_opt_hdr *hdr; |
| + |
| + if (!opt || !opt->hopopt) |
| return 0; |
| + hdr = opt->hopopt; |
| + |
| len = min_t(int, len, ipv6_optlen(hdr)); |
| if (copy_to_user(optval, hdr, ipv6_optlen(hdr))) |
| return -EFAULT; |
| @@ -941,7 +945,7 @@ static int do_ipv6_getsockopt(struct soc |
| { |
| |
| lock_sock(sk); |
| - len = ipv6_getsockopt_sticky(sk, np->opt->hopopt, |
| + len = ipv6_getsockopt_sticky(sk, np->opt, |
| optval, len); |
| release_sock(sk); |
| return put_user(len, optlen); |
